diff --git a/.github/workflows/pr_test.yml b/.github/workflows/pr_test.yml
@@ -0,0 +1,198 @@
+name: "PR Testing"
+
+on: [pull_request]
+
+env:
+  HONEYCOMB_WRITEKEY: 7f3c63a70eecc61d635917de46bea4e6
+  HONEYCOMB_DATASET: litmus tests
+
+jobs:
+  setup_matrix:
+    name: "Setup Test Matrix"
+    runs-on: ubuntu-20.04
+    outputs:
+      matrix: ${{ steps.get-matrix.outputs.matrix }}
+
+    steps:
+      - name: "Honeycomb: Start recording"
+        uses: kvrhdn/gha-buildevents@v1.0.2
+        with:
+          apikey: ${{ env.HONEYCOMB_WRITEKEY }}
+          dataset: ${{ env.HONEYCOMB_DATASET }}
+          job-status: ${{ job.status }}
+
+      - name: "Honeycomb: Start first step"
+        run: |
+          echo STEP_ID=0 >> $GITHUB_ENV
+          echo STEP_START=$(date +%s) >> $GITHUB_ENV
+
+      - name: Checkout Source
+        uses: actions/checkout@v2
+        if: ${{ github.repository_owner == 'puppetlabs' }}
+
+      - name: Activate Ruby 2.7
+        uses: actions/setup-ruby@v1
+        if: ${{ github.repository_owner == 'puppetlabs' }}
+        with:
+          ruby-version: "2.7"
+
+      - name: Cache gems
+        uses: actions/cache@v2
+        if: ${{ github.repository_owner == 'puppetlabs' }}
+        with:
+          path: vendor/gems
+          key: ${{ runner.os }}-${{ github.event_name }}-${{ hashFiles('**/Gemfile') }}
+          restore-keys: |
+            ${{ runner.os }}-${{ github.event_name }}-
+            ${{ runner.os }}-
+
+      - name: Install gems
+        if: ${{ github.repository_owner == 'puppetlabs' }}
+        run: |
+          buildevents cmd $TRACE_ID $STEP_ID 'bundle config path vendor/gems' -- bundle config path vendor/gems
+          buildevents cmd $TRACE_ID $STEP_ID 'bundle config jobs 8' -- bundle config jobs 8
+          buildevents cmd $TRACE_ID $STEP_ID 'bundle config retry 3' -- bundle config retry 3
+          buildevents cmd $TRACE_ID $STEP_ID 'bundle install' -- bundle install
+          buildevents cmd $TRACE_ID $STEP_ID 'bundle clean' -- bundle clean
+
+      - name: Setup Acceptance Test Matrix
+        id: get-matrix
+        if: ${{ github.repository_owner == 'puppetlabs' }}
+        run: |
+          if [ '${{ github.repository_owner }}' == 'puppetlabs' ]; then
+            buildevents cmd $TRACE_ID $STEP_ID matrix_from_metadata -- bundle exec matrix_from_metadata
+          else
+            echo  "::set-output name=matrix::{}"
+          fi
+
+      - name: "Honeycomb: Record setup time"
+        if: ${{ always() }}
+        run: |
+          buildevents step $TRACE_ID $STEP_ID $STEP_START 'Setup Test Matrix'
+
+  Acceptance:
+    needs:
+      - setup_matrix
+
+    runs-on: ubuntu-20.04
+    strategy:
+      fail-fast: false
+      matrix: ${{fromJson(needs.setup_matrix.outputs.matrix)}}
+
+    env:
+      BUILDEVENT_FILE: "../buildevents.txt"
+
+    steps:
+      - run: |
+          echo 'platform=${{ matrix.platform }}' >> $BUILDEVENT_FILE
+          echo 'collection=${{ matrix.collection }}' >> $BUILDEVENT_FILE
+
+      - name: "Honeycomb: Start recording"
+        uses: kvrhdn/gha-buildevents@v1.0.2
+        with:
+          apikey: ${{ env.HONEYCOMB_WRITEKEY }}
+          dataset: ${{ env.HONEYCOMB_DATASET }}
+          job-status: ${{ job.status }}
+          matrix-key: ${{ matrix.platform }}-${{ matrix.collection }}
+
+      - name: "Honeycomb: start first step"
+        run: |
+          echo STEP_ID=${{ matrix.platform }}-${{ matrix.collection }}-1 >> $GITHUB_ENV
+          echo STEP_START=$(date +%s) >> $GITHUB_ENV
+
+      - name: Checkout Source
+        uses: actions/checkout@v2
+
+      - name: Activate Ruby 2.7
+        uses: actions/setup-ruby@v1
+        with:
+          ruby-version: "2.7"
+
+      - name: Cache gems
+        uses: actions/cache@v2
+        with:
+          path: vendor/gems
+          key: ${{ runner.os }}-${{ github.event_name }}-${{ hashFiles('**/Gemfile') }}
+          restore-keys: |
+            ${{ runner.os }}-${{ github.event_name }}-
+            ${{ runner.os }}-
+
+      - name: "Honeycomb: Record cache setup time"
+        if: ${{ always() }}
+        run: |
+          buildevents step $TRACE_ID $STEP_ID $STEP_START 'Cache retrieval'
+          echo STEP_ID=${{ matrix.platform }}-${{ matrix.collection }}-2 >> $GITHUB_ENV
+          echo STEP_START=$(date +%s) >> $GITHUB_ENV
+
+      - name: Bundler Setup
+        run: |
+          buildevents cmd $TRACE_ID $STEP_ID 'bundle config path vendor/gems' -- bundle config path vendor/gems
+          buildevents cmd $TRACE_ID $STEP_ID 'bundle config jobs 8' -- bundle config jobs 8
+          buildevents cmd $TRACE_ID $STEP_ID 'bundle config retry 3' -- bundle config retry 3
+          buildevents cmd $TRACE_ID $STEP_ID 'bundle install' -- bundle install
+          buildevents cmd $TRACE_ID $STEP_ID 'bundle clean' -- bundle clean
+          echo ::group::bundler environment
+          buildevents cmd $TRACE_ID $STEP_ID 'bundle env' -- bundle env
+          echo ::endgroup::
+
+      - name: "Honeycomb: Record Bundler Setup time"
+        if: ${{ always() }}
+        run: |
+          buildevents step $TRACE_ID $STEP_ID $STEP_START 'Bundler Setup'
+          echo STEP_ID=${{ matrix.platform }}-${{ matrix.collection }}-3 >> $GITHUB_ENV
+          echo STEP_START=$(date +%s) >> $GITHUB_ENV
+
+      - name: Provision test environment
+        run: |
+          buildevents cmd $TRACE_ID $STEP_ID 'rake litmus:provision ${{ matrix.platform }}' -- bundle exec rake 'litmus:provision[provision::provision_service,${{ matrix.platform }}]'
+          echo ::group::=== REQUEST ===
+          cat request.json || true
+          echo
+          echo ::endgroup::
+          echo ::group::=== INVENTORY ===
+          sed -e 's/password: .*/password: "[redacted]"/' < inventory.yaml || true
+          echo ::endgroup::
+
+      - name: Install agent
+        run: |
+          buildevents cmd $TRACE_ID $STEP_ID 'rake litmus:install_agent ${{ matrix.collection }}' -- bundle exec rake 'litmus:install_agent[${{ matrix.collection }}]'
+
+      - name: Install module
+        run: |
+          buildevents cmd $TRACE_ID $STEP_ID 'rake litmus:install_module' -- bundle exec rake 'litmus:install_module'
+
+      - name: "Honeycomb: Record deployment times"
+        if: ${{ always() }}
+        run: |
+          echo ::group::honeycomb step
+          buildevents step $TRACE_ID $STEP_ID $STEP_START 'Deploy test system'
+          echo STEP_ID=${{ matrix.platform }}-${{ matrix.collection }}-4 >> $GITHUB_ENV
+          echo STEP_START=$(date +%s) >> $GITHUB_ENV
+          echo ::endgroup::
+
+      - name: Run acceptance tests
+        run: |
+          buildevents cmd $TRACE_ID $STEP_ID 'rake litmus:acceptance:parallel' -- bundle exec rake 'litmus:acceptance:parallel'
+
+      - name: "Honeycomb: Record acceptance testing times"
+        if: ${{ always() }}
+        run: |
+          buildevents step $TRACE_ID $STEP_ID $STEP_START 'Run acceptance tests'
+          echo STEP_ID=${{ matrix.platform }}-${{ matrix.collection }}-5 >> $GITHUB_ENV
+          echo STEP_START=$(date +%s) >> $GITHUB_ENV
+
+      - name: Remove test environment
+        if: ${{ always() }}
+        run: |
+          if [ -f inventory.yaml ]; then
+            buildevents cmd $TRACE_ID $STEP_ID 'rake litmus:tear_down' -- bundle exec rake 'litmus:tear_down'
+            echo ::group::=== REQUEST ===
+            cat request.json || true
+            echo
+            echo ::endgroup::
+          fi
+
+      - name: "Honeycomb: Record removal times"
+        if: ${{ always() }}
+        run: |
+          buildevents step $TRACE_ID $STEP_ID $STEP_START 'Remove test environment'
diff --git a/.gitpod.Dockerfile b/.gitpod.Dockerfile
@@ -0,0 +1,18 @@
+FROM gitpod/workspace-full
+RUN sudo wget https://apt.puppet.com/puppet-tools-release-bionic.deb && \
+    wget https://apt.puppetlabs.com/puppet6-release-bionic.deb && \
+    sudo dpkg -i puppet6-release-bionic.deb && \
+    sudo dpkg -i puppet-tools-release-bionic.deb && \
+    sudo apt-get update && \
+    sudo apt-get install -y pdk zsh puppet-agent && \
+    sudo apt-get clean && \
+    sudo rm -rf /var/lib/apt/lists/*
+RUN sudo usermod -s $(which zsh) gitpod && \
+    sh -c "$(curl -fsSL https://raw.github.com/ohmyzsh/ohmyzsh/master/tools/install.sh)" && \
+    echo "plugins=(git gitignore github gem pip bundler python ruby docker docker-compose)" >> /home/gitpod/.zshrc && \
+    echo 'PATH="$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/opt/puppetlabs/bin:/opt/puppetlabs/puppet/bin"'  >> /home/gitpod/.zshrc && \
+    sudo /opt/puppetlabs/puppet/bin/gem install puppet-debugger hub -N && \
+    mkdir -p /home/gitpod/.config/puppet && \
+    /opt/puppetlabs/puppet/bin/ruby -r yaml -e "puts ({'disabled' => true}).to_yaml" > /home/gitpod/.config/puppet/analytics.yml
+RUN rm -f puppet6-release-bionic.deb  puppet-tools-release-bionic.deb
+ENTRYPOINT /usr/bin/zsh
diff --git a/.gitpod.yml b/.gitpod.yml
@@ -0,0 +1,9 @@
+image:
+  file: .gitpod.Dockerfile
+
+tasks:
+  - init: pdk bundle install
+
+vscode:
+  extensions:
+    - puppet.puppet-vscode@1.0.0:oSzfTkDf6Cmc1jOjgW33VA==
diff --git a/.pdkignore b/.pdkignore
@@ -32,6 +32,7 @@
 /.gitignore
 /.gitlab-ci.yml
 /.pdkignore
+/.puppet-lint.rc
 /Rakefile
 /rakelib/
 /.rspec
@@ -40,3 +41,4 @@
 /.yardopts
 /spec/
 /.vscode/
+/.sync.yml
diff --git a/.rubocop.yml b/.rubocop.yml
@@ -43,7 +43,7 @@ Style/BlockDelimiters:
 Style/BracesAroundHashParameters:
   Description: Braces are required by Ruby 2.7. Cop removed from RuboCop v0.80.0.
     See https://github.com/rubocop-hq/rubocop/pull/7643
-  Enabled: true
+  Enabled: false
 Style/ClassAndModuleChildren:
   Description: Compact style reduces the required amount of indentation.
   EnforcedStyle: compact

diff --git a/.sync.yml b/.sync.yml
@@ -2,29 +2,42 @@
 ".gitlab-ci.yml":
   delete: true
 ".travis.yml":
-  global_env: 
+  dist: trusty # acceptance tests have stopped working on newer versions - probably related to docker behaviour
+  global_env:
     - HONEYCOMB_WRITEKEY="7f3c63a70eecc61d635917de46bea4e6",HONEYCOMB_DATASET="litmus tests"
   deploy_to_forge:
     enabled: false
   branches:
-  - release
+    - release
   use_litmus: true
   litmus:
     provision_list:
-    - ---travis_el
-    - travis_deb
-    - travis_el7
+      - ---travis_el
+      - travis_deb
+      - travis_el7
     complex:
-    - collection:
-        puppet_collection:
-        - puppet6
-        provision_list:
-        - travis_ub_6
-    - collection:
-        puppet_collection:
-        - puppet5
-        provision_list:
-        - travis_ub_5
+      - collection:
+          puppet_collection:
+            - puppet6
+          provision_list:
+            - travis_ub_6
+      - collection:
+          puppet_collection:
+            - puppet5
+          provision_list:
+            - travis_ub_5
+      - collection:
+          puppet_collection:
+            - puppet5
+          provision_list:
+            - travis_el8
+          dist: xenial
+      - collection:
+          puppet_collection:
+            - puppet6
+          provision_list:
+            - travis_el8
+          dist: xenial
   simplecov: true
   notifications:
     slack:
@@ -34,10 +47,18 @@ appveyor.yml:
 Gemfile:
   optional:
     ":development":
-    - gem: github_changelog_generator
-      git: https://github.com/skywinder/github-changelog-generator
-      ref: 20ee04ba1234e9e83eb2ffb5056e23d641c7a018
-      condition: Gem::Version.new(RUBY_VERSION.dup) >= Gem::Version.new('2.2.2')
+      - gem: github_changelog_generator
+        git: https://github.com/skywinder/github-changelog-generator
+        ref: 20ee04ba1234e9e83eb2ffb5056e23d641c7a018
+        condition: Gem::Version.new(RUBY_VERSION.dup) >= Gem::Version.new('2.2.2')
 spec/spec_helper.rb:
   mock_with: ":rspec"
   coverage_report: true
+.gitpod.Dockerfile:
+  unmanaged: false
+.gitpod.yml:
+  unmanaged: false
+.github/workflows/nightly.yml:
+  unmanaged: false
+.github/workflows/pr_test.yml:
+  unmanaged: false
diff --git a/.travis.yml b/.travis.yml
@@ -1,6 +1,6 @@
 ---
 os: linux
-dist: xenial
+dist: trusty
 language: ruby
 cache: bundler
 before_install:
@@ -33,7 +33,6 @@ jobs:
       - "bundle exec rake 'litmus:install_agent[puppet6]'"
       - "bundle exec rake litmus:install_module"
       bundler_args:
-      dist: trusty
       env: PLATFORMS=travis_ub_6_puppet6
       rvm: 2.5.7
       script: ["travis_wait 45 bundle exec rake litmus:acceptance:parallel"]
@@ -45,19 +44,41 @@ jobs:
       - "bundle exec rake 'litmus:install_agent[puppet5]'"
       - "bundle exec rake litmus:install_module"
       bundler_args:
-      dist: trusty
       env: PLATFORMS=travis_ub_5_puppet5
       rvm: 2.5.7
       script: ["travis_wait 45 bundle exec rake litmus:acceptance:parallel"]
       services: docker
       stage: acceptance
+    -
+      before_script:
+      - "bundle exec rake 'litmus:provision_list[travis_el8]'"
+      - "bundle exec rake 'litmus:install_agent[puppet5]'"
+      - "bundle exec rake litmus:install_module"
+      bundler_args:
+      dist: xenial
+      env: PLATFORMS=travis_el8_puppet5
+      rvm: 2.5.7
+      script: ["travis_wait 45 bundle exec rake litmus:acceptance:parallel"]
+      services: docker
+      stage: acceptance
+    -
+      before_script:
+      - "bundle exec rake 'litmus:provision_list[travis_el8]'"
+      - "bundle exec rake 'litmus:install_agent[puppet6]'"
+      - "bundle exec rake litmus:install_module"
+      bundler_args:
+      dist: xenial
+      env: PLATFORMS=travis_el8_puppet6
+      rvm: 2.5.7
+      script: ["travis_wait 45 bundle exec rake litmus:acceptance:parallel"]
+      services: docker
+      stage: acceptance
     -
       before_script:
       - "bundle exec rake 'litmus:provision_list[travis_deb]'"
       - "bundle exec rake 'litmus:install_agent[puppet5]'"
       - "bundle exec rake litmus:install_module"
       bundler_args:
-      dist: trusty
       env: PLATFORMS=travis_deb_puppet5
       rvm: 2.5.7
       script: ["travis_wait 45 bundle exec rake litmus:acceptance:parallel"]
@@ -69,7 +90,6 @@ jobs:
       - "bundle exec rake 'litmus:install_agent[puppet5]'"
       - "bundle exec rake litmus:install_module"
       bundler_args:
-      dist: trusty
       env: PLATFORMS=travis_el7_puppet5
       rvm: 2.5.7
       script: ["travis_wait 45 bundle exec rake litmus:acceptance:parallel"]
@@ -81,7 +101,6 @@ jobs:
       - "bundle exec rake 'litmus:install_agent[puppet6]'"
       - "bundle exec rake litmus:install_module"
       bundler_args:
-      dist: trusty
       env: PLATFORMS=travis_deb_puppet6
       rvm: 2.5.7
       script: ["travis_wait 45 bundle exec rake litmus:acceptance:parallel"]
@@ -93,7 +112,6 @@ jobs:
       - "bundle exec rake 'litmus:install_agent[puppet6]'"
       - "bundle exec rake litmus:install_module"
       bundler_args:
-      dist: trusty
       env: PLATFORMS=travis_el7_puppet6
       rvm: 2.5.7
       script: ["travis_wait 45 bundle exec rake litmus:acceptance:parallel"]

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,19 @@
 
 All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic Versioning](http://semver.org).
 
+## [v2.8.0](https://github.com/puppetlabs/puppetlabs-firewall/tree/v2.8.0) (2020-12-14)
+
+[Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/v2.7.0...v2.8.0)
+
+### Added
+
+- pdksync - \(feat\) - Add support for Puppet 7 [\#959](https://github.com/puppetlabs/puppetlabs-firewall/pull/959) ([daianamezdrea](https://github.com/daianamezdrea))
+- \(IAC-966\) - MODULES-10522: Add support for the --condition parameter [\#941](https://github.com/puppetlabs/puppetlabs-firewall/pull/941) ([adrianiurca](https://github.com/adrianiurca))
+
+### Fixed
+
+- Restore copyright names [\#951](https://github.com/puppetlabs/puppetlabs-firewall/pull/951) ([hunner](https://github.com/hunner))
+
 ## [v2.7.0](https://github.com/puppetlabs/puppetlabs-firewall/tree/v2.7.0) (2020-10-15)
 
 [Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/v2.6.0...v2.7.0)
@@ -152,7 +165,6 @@ All notable changes to this project will be documented in this file. The format
 - Changed regex for iniface and outiface to allow '@' in interface names [\#791](https://github.com/puppetlabs/puppetlabs-firewall/pull/791) ([GeorgeCox](https://github.com/GeorgeCox))
 - \(MODULES-8214\) Handle src\_type and dst\_type as array [\#790](https://github.com/puppetlabs/puppetlabs-firewall/pull/790) ([mateusz-gozdek-sociomantic](https://github.com/mateusz-gozdek-sociomantic))
 - \(MODULES-7990\) Merge multiple comments into one while parsing rules [\#789](https://github.com/puppetlabs/puppetlabs-firewall/pull/789) ([mateusz-gozdek-sociomantic](https://github.com/mateusz-gozdek-sociomantic))
-- add -g flag handling in ip6tables.rb provider [\#788](https://github.com/puppetlabs/puppetlabs-firewall/pull/788) ([cestith](https://github.com/cestith))
 - \(MODULES-7681\) Add support for bytecode property [\#771](https://github.com/puppetlabs/puppetlabs-firewall/pull/771) ([baurmatt](https://github.com/baurmatt))
 
 ### Fixed

diff --git a/Gemfile b/Gemfile
@@ -23,14 +23,13 @@ group :development do
   gem "json", '= 1.8.1',                                         require: false if Gem::Version.new(RUBY_VERSION.dup) == Gem::Version.new('2.1.9')
   gem "json", '= 2.0.4',                                         require: false if Gem::Requirement.create('~> 2.4.2').satisfied_by?(Gem::Version.new(RUBY_VERSION.dup))
   gem "json", '= 2.1.0',                                         require: false if Gem::Requirement.create(['>= 2.5.0', '< 2.7.0']).satisfied_by?(Gem::Version.new(RUBY_VERSION.dup))
+  gem "json", '= 2.3.0',                                         require: false if Gem::Requirement.create(['>= 2.7.0', '< 2.8.0']).satisfied_by?(Gem::Version.new(RUBY_VERSION.dup))
   gem "rb-readline", '= 0.5.5',                                  require: false, platforms: [:mswin, :mingw, :x64_mingw]
   gem "puppet-module-posix-default-r#{minor_version}", '~> 0.4', require: false, platforms: [:ruby]
   gem "puppet-module-posix-dev-r#{minor_version}", '~> 0.4',     require: false, platforms: [:ruby]
   gem "puppet-module-win-default-r#{minor_version}", '~> 0.4',   require: false, platforms: [:mswin, :mingw, :x64_mingw]
   gem "puppet-module-win-dev-r#{minor_version}", '~> 0.4',       require: false, platforms: [:mswin, :mingw, :x64_mingw]
   gem "github_changelog_generator",                              require: false, git: 'https://github.com/skywinder/github-changelog-generator', ref: '20ee04ba1234e9e83eb2ffb5056e23d641c7a018' if Gem::Version.new(RUBY_VERSION.dup) >= Gem::Version.new('2.2.2')
-  gem 'ed25519', '>= 1.2', '< 2.0'
-  gem 'bcrypt_pbkdf', '>= 1.0', '< 2.0'
 end
 
 puppet_version = ENV['PUPPET_GEM_VERSION']

diff --git a/NOTICE b/NOTICE
@@ -1,6 +1,14 @@
 Puppet Module - puppetlabs-firewall
 
 Copyright 2018 Puppet, Inc.
+Copyright 2011 Jonathan Boyett
+Copyright 2011 Media Temple, Inc.
+
+Some of the iptables code was taken from puppet-iptables which was:
+
+Copyright 2011 Bob.sh Limited
+Copyright 2008 Camptocamp Association
+Copyright 2007 Dmitri Priimak
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -12,4 +20,4 @@ Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
-limitations under the License.
+limitations under the License.
diff --git a/README.md b/README.md
@@ -476,6 +476,20 @@ To prevent this issue, do not use MCollective to kick off Puppet runs. Use any o
 * Use a cron job.
 * Click [Run Puppet](https://docs.puppet.com/pe/2016.1/console_classes_groups_running_puppet.html#run-puppet-on-an-individual-node) in the console.
 
+### condition parameter
+
+The `condition` parameter requires `xtables-addons` to be installed locally.
+For ubuntu distributions `xtables-addons-common` package can be installed by running command: `apt-get install xtables-addons-common` or
+running a manifest:
+
+```puppet
+package { 'xtables-addons-common':
+  ensure => 'latest',
+}
+```
+
+For other distributions (RedHat, Debian, Centos etc) manual installation of the `xtables-addons` package is required.
+
 #### Reporting Issues
 
 Please report any bugs in the Puppetlabs JIRA issue tracker:

diff --git a/REFERENCE.md b/REFERENCE.md
@@ -147,6 +147,8 @@ installed.
 
   * clusterip: Configure a simple cluster of nodes that share a certain IP and MAC address without an explicit load balancer in front of them.
 
+  * condition: Match if a specific condition variable is (un)set (requires xtables-addons)
+
   * connection_limiting: Connection limiting features.
 
   * conntrack: Connection tracking features.
@@ -335,6 +337,10 @@ Valid values: `%r{\d+}`
 Used with the CLUSTERIP jump target.
 Number of total nodes within this cluster.
 
+##### `condition`
+
+Match on boolean value (0/1) stored in /proc/net/nf_condition/name.
+
 ##### `connlimit_above`
 
 Valid values: `%r{^\d+$}`

diff --git a/Rakefile b/Rakefile
@@ -52,36 +52,35 @@ if Bundler.rubygems.find_name('github_changelog_generator').any?
     config.header = "# Change log\n\nAll notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic Versioning](http://semver.org)."
     config.add_pr_wo_labels = true
     config.issues = false
-    config.merge_prefix = "### UNCATEGORIZED PRS; GO LABEL THEM"
+    config.merge_prefix = "### UNCATEGORIZED PRS; LABEL THEM ON GITHUB"
     config.configure_sections = {
       "Changed" => {
         "prefix" => "### Changed",
         "labels" => ["backwards-incompatible"],
       },
       "Added" => {
         "prefix" => "### Added",
-        "labels" => ["feature", "enhancement"],
+        "labels" => ["enhancement", "feature"],
       },
       "Fixed" => {
         "prefix" => "### Fixed",
-        "labels" => ["bugfix"],
+        "labels" => ["bug", "documentation", "bugfix"],
       },
     }
   end
 else
   desc 'Generate a Changelog from GitHub'
   task :changelog do
     raise <<EOM
-The changelog tasks depends on unreleased features of the github_changelog_generator gem.
+The changelog tasks depends on recent features of the github_changelog_generator gem.
 Please manually add it to your .sync.yml for now, and run `pdk update`:
 ---
 Gemfile:
   optional:
     ':development':
       - gem: 'github_changelog_generator'
-        git: 'https://github.com/skywinder/github-changelog-generator'
-        ref: '20ee04ba1234e9e83eb2ffb5056e23d641c7a018'
-        condition: "Gem::Version.new(RUBY_VERSION.dup) >= Gem::Version.new('2.2.2')"
+        version: '~> 1.15'
+        condition: "Gem::Version.new(RUBY_VERSION.dup) >= Gem::Version.new('2.3.0')"
 EOM
   end
 end

diff --git a/data/common.yaml b/data/common.yaml
@@ -0,0 +1 @@
+--- {}
diff --git a/hiera.yaml b/hiera.yaml
@@ -0,0 +1,21 @@
+---
+version: 5
+
+defaults:  # Used for any hierarchy level that omits these keys.
+  datadir: data         # This path is relative to hiera.yaml's directory.
+  data_hash: yaml_data  # Use the built-in YAML backend.
+
+hierarchy:
+  - name: "osfamily/major release"
+    paths:
+        # Used to distinguish between Debian and Ubuntu
+      - "os/%{facts.os.name}/%{facts.os.release.major}.yaml"
+      - "os/%{facts.os.family}/%{facts.os.release.major}.yaml"
+        # Used for Solaris
+      - "os/%{facts.os.family}/%{facts.kernelrelease}.yaml"
+  - name: "osfamily"
+    paths:
+      - "os/%{facts.os.name}.yaml"
+      - "os/%{facts.os.family}.yaml"
+  - name: 'common'
+    path: 'common.yaml'
diff --git a/lib/puppet/provider/firewall/ip6tables.rb b/lib/puppet/provider/firewall/ip6tables.rb
@@ -2,6 +2,7 @@
   @doc = 'Ip6tables type provider'
 
   has_feature :iptables
+  has_feature :condition
   has_feature :connection_limiting
   has_feature :conntrack
   has_feature :hop_limiting
@@ -83,6 +84,7 @@ def self.iptables_save(*args)
     burst: '--limit-burst',
     checksum_fill: '--checksum-fill',
     clamp_mss_to_pmtu: '--clamp-mss-to-pmtu',
+    condition: '--condition',
     connlimit_above: '-m connlimit --connlimit-above',
     connlimit_mask: '--connlimit-mask',
     connmark: '-m connmark --mark',
@@ -250,6 +252,7 @@ def self.iptables_save(*args)
     addrtype: [:src_type, :dst_type],
     iprange: [:src_range, :dst_range],
     owner: [:uid, :gid],
+    condition: [:condition],
     conntrack: [:ctstate, :ctproto, :ctorigsrc, :ctorigdst, :ctreplsrc, :ctrepldst,
                 :ctorigsrcport, :ctorigdstport, :ctreplsrcport, :ctrepldstport, :ctstatus, :ctexpire, :ctdir],
     time: [:time_start, :time_stop, :month_days, :week_days, :date_start, :date_stop, :time_contiguous, :kernel_timezone],
@@ -308,5 +311,5 @@ def self.iptables_save(*args)
                     :set_mark, :match_mark, :connlimit_above, :connlimit_mask, :connmark, :time_start, :time_stop, :month_days, :week_days, :date_start, :date_stop, :time_contiguous, :kernel_timezone,
                     :src_cc, :dst_cc, :hashlimit_upto, :hashlimit_above, :hashlimit_name, :hashlimit_burst,
                     :hashlimit_mode, :hashlimit_srcmask, :hashlimit_dstmask, :hashlimit_htable_size,
-                    :hashlimit_htable_max, :hashlimit_htable_expire, :hashlimit_htable_gcinterval, :bytecode, :zone, :helper, :rpfilter, :name, :notrack]
+                    :hashlimit_htable_max, :hashlimit_htable_expire, :hashlimit_htable_gcinterval, :bytecode, :zone, :helper, :rpfilter, :condition, :name, :notrack]
 end
diff --git a/lib/puppet/provider/firewall/iptables.rb b/lib/puppet/provider/firewall/iptables.rb
@@ -7,6 +7,7 @@
   @doc = 'Iptables type provider'
 
   has_feature :iptables
+  has_feature :condition
   has_feature :connection_limiting
   has_feature :conntrack
   has_feature :rate_limiting
@@ -75,6 +76,7 @@
     burst: '--limit-burst',
     checksum_fill: '--checksum-fill',
     clamp_mss_to_pmtu: '--clamp-mss-to-pmtu',
+    condition: '--condition',
     connlimit_above: '-m connlimit --connlimit-above',
     connlimit_mask: '--connlimit-mask',
     connmark: '-m connmark --mark',
@@ -252,6 +254,7 @@
     addrtype: [:src_type, :dst_type],
     iprange: [:src_range, :dst_range],
     owner: [:uid, :gid],
+    condition: [:condition],
     conntrack: [:ctstate, :ctproto, :ctorigsrc, :ctorigdst, :ctreplsrc, :ctrepldst,
                 :ctorigsrcport, :ctorigdstport, :ctreplsrcport, :ctrepldstport, :ctstatus, :ctexpire, :ctdir],
     time: [:time_start, :time_stop, :month_days, :week_days, :date_start, :date_stop, :time_contiguous, :kernel_timezone],
@@ -348,7 +351,7 @@ def munge_resource_map_from_resource(resource_map_original, compare)
     :month_days, :week_days, :date_start, :date_stop, :time_contiguous, :kernel_timezone,
     :src_cc, :dst_cc, :hashlimit_upto, :hashlimit_above, :hashlimit_name, :hashlimit_burst,
     :hashlimit_mode, :hashlimit_srcmask, :hashlimit_dstmask, :hashlimit_htable_size,
-    :hashlimit_htable_max, :hashlimit_htable_expire, :hashlimit_htable_gcinterval, :bytecode, :ipvs, :zone, :helper, :cgroup, :rpfilter, :name, :notrack
+    :hashlimit_htable_max, :hashlimit_htable_expire, :hashlimit_htable_gcinterval, :bytecode, :ipvs, :zone, :helper, :cgroup, :rpfilter, :condition, :name, :notrack
   ]
 
   def insert
@@ -452,6 +455,8 @@ def self.rule_to_hash(line, table, counter)
     values = values.gsub(%r{(!\s+)?--tcp-flags (\S*) (\S*)}, '--tcp-flags "\1\2 \3"')
     # --hex-string output is in quotes, need to move ! inside quotes
     values = values.gsub(%r{(!\s+)?--hex-string "(\S*?)"}, '--hex-string "\1\2"')
+    # --condition output is in quotes, need to move ! inside quotes
+    values.gsub!(%r{(!\s+)?--condition "(\S*?)"}, '--condition "\1\2"')
     # --match-set can have multiple values with weird iptables format
     if values =~ %r{-m set (!\s+)?--match-set}
       values = values.gsub(%r{(!\s+)?--match-set (\S*) (\S*)}, '--match-set \1\2 \3')
@@ -653,6 +658,7 @@ def self.rule_to_hash(line, table, counter)
     # Invert any rules that are prefixed with a '!'
     [
       :connmark,
+      :condition,
       :ctstate,
       :ctproto,
       :ctorigsrc,

diff --git a/lib/puppet/type/firewall.rb b/lib/puppet/type/firewall.rb
@@ -56,6 +56,8 @@
 
       * clusterip: Configure a simple cluster of nodes that share a certain IP and MAC address without an explicit load balancer in front of them.
 
+      * condition: Match if a specific condition variable is (un)set (requires xtables-addons)
+
       * connection_limiting: Connection limiting features.
 
       * conntrack: Connection tracking features.
@@ -146,6 +148,7 @@
   PUPPETCODE
 
   feature :connection_limiting, 'Connection limiting features.'
+  feature :condition, 'Match if a specific condition variable is (un)set.'
   feature :conntrack, 'Connection tracking features.'
   feature :hop_limiting, 'Hop limiting features.'
   feature :rate_limiting, 'Rate limiting features.'
@@ -2248,6 +2251,19 @@ def should_to_s(value)
     newvalues(:true, :false)
   end
 
+  newproperty(:condition, required_features: :condition) do
+    desc <<-PUPPETCODE
+      Match on boolean value (0/1) stored in /proc/net/nf_condition/name.
+    PUPPETCODE
+    validate do |value|
+      unless value.is_a?(String)
+        raise ArgumentError, <<-PUPPETCODE
+          Condition must be a string.
+        PUPPETCODE
+      end
+    end
+  end
+
   autorequire(:firewallchain) do
     reqs = []
     protocol = nil

diff --git a/metadata.json b/metadata.json
@@ -1,6 +1,6 @@
 {
   "name": "puppetlabs-firewall",
-  "version": "2.7.0",
+  "version": "2.8.0",
   "author": "puppetlabs",
   "summary": "Manages Firewalls such as iptables",
   "license": "Apache-2.0",
@@ -75,10 +75,10 @@
   "requirements": [
     {
       "name": "puppet",
-      "version_requirement": ">= 5.5.10 < 7.0.0"
+      "version_requirement": ">= 5.5.10 < 8.0.0"
     }
   ],
   "template-url": "https://github.com/puppetlabs/pdk-templates#main",
-  "template-ref": "heads/main-0-g88b05c7",
-  "pdk-version": "1.17.0"
+  "template-ref": "heads/main-0-g62126e1",
+  "pdk-version": "1.18.1"
 }
diff --git a/provision.yaml b/provision.yaml
@@ -1,28 +1,96 @@
 ---
 default:
   provisioner: docker
-  images: ['litmusimage/centos:7']
+  images:
+  - litmusimage/centos:7
 vagrant:
   provisioner: vagrant
-  images: ['centos/7', 'generic/ubuntu1804']
+  images:
+  - centos/7
+  - generic/ubuntu1804
 travis_deb:
   provisioner: docker
-  images: ['litmusimage/debian:8', 'litmusimage/debian:9'] # 'litmusimage/debian10' removed due to failures present only on Docker
+  images:
+  - litmusimage/debian:8
+  - litmusimage/debian:9
 travis_ub_5:
   provisioner: docker
-  images: ['litmusimage/ubuntu:14.04', 'litmusimage/ubuntu:16.04', 'litmusimage/ubuntu:18.04']
+  images:
+  - litmusimage/ubuntu:14.04
+  - litmusimage/ubuntu:16.04
+  - litmusimage/ubuntu:18.04
 travis_ub_6:
   provisioner: docker
-  images: ['litmusimage/ubuntu:14.04', 'litmusimage/ubuntu:16.04', 'litmusimage/ubuntu:18.04', 'litmusimage/ubuntu:20.04']
-travis_el6:
-  provisioner: docker
-  images: []
+  images:
+  - litmusimage/ubuntu:14.04
+  - litmusimage/ubuntu:16.04
+  - litmusimage/ubuntu:18.04
+  - litmusimage/ubuntu:20.04
 travis_el7:
   provisioner: docker
-  images: ['litmusimage/centos:7']
+  images:
+  - litmusimage/centos:7
+travis_el8:
+  provisioner: docker
+  images:
+  - litmusimage/centos:8
 release_checks_5:
   provisioner: abs
-  images: ['redhat-5-x86_64', 'redhat-6-x86_64', 'redhat-7-x86_64', 'redhat-8-x86_64', 'centos-5-x86_64', 'centos-6-x86_64', 'centos-7-x86_64', 'centos-8-x86_64', 'oracle-6-x86_64', 'scientific-6-x86_64', 'scientific-7-x86_64', 'debian-8-x86_64', 'debian-9-x86_64', 'debian-10-x86_64', 'sles-12-x86_64', 'sles-15-x86_64', 'ubuntu-1404-x86_64', 'ubuntu-1604-x86_64', 'ubuntu-1804-x86_64']
+  images:
+  - redhat-5-x86_64
+  - redhat-6-x86_64
+  - redhat-7-x86_64
+  - redhat-8-x86_64
+  - centos-5-x86_64
+  - centos-6-x86_64
+  - centos-7-x86_64
+  - centos-8-x86_64
+  - oracle-6-x86_64
+  - scientific-6-x86_64
+  - scientific-7-x86_64
+  - debian-8-x86_64
+  - debian-9-x86_64
+  - debian-10-x86_64
+  - sles-12-x86_64
+  - sles-15-x86_64
+  - ubuntu-1404-x86_64
+  - ubuntu-1604-x86_64
+  - ubuntu-1804-x86_64
 release_checks_6:
   provisioner: abs
-  images: ['redhat-5-x86_64', 'redhat-6-x86_64', 'redhat-7-x86_64', 'redhat-8-x86_64', 'centos-5-x86_64', 'centos-6-x86_64', 'centos-7-x86_64', 'centos-8-x86_64', 'oracle-6-x86_64', 'scientific-6-x86_64', 'scientific-7-x86_64', 'debian-8-x86_64', 'debian-9-x86_64', 'debian-10-x86_64', 'sles-12-x86_64', 'sles-15-x86_64', 'ubuntu-1404-x86_64', 'ubuntu-1604-x86_64', 'ubuntu-1804-x86_64', 'ubuntu-2004-x86_64']
+  images:
+  - redhat-5-x86_64
+  - redhat-6-x86_64
+  - redhat-7-x86_64
+  - redhat-8-x86_64
+  - centos-5-x86_64
+  - centos-6-x86_64
+  - centos-7-x86_64
+  - centos-8-x86_64
+  - oracle-6-x86_64
+  - scientific-6-x86_64
+  - scientific-7-x86_64
+  - debian-8-x86_64
+  - debian-9-x86_64
+  - debian-10-x86_64
+  - sles-12-x86_64
+  - sles-15-x86_64
+  - ubuntu-1404-x86_64
+  - ubuntu-1604-x86_64
+  - ubuntu-1804-x86_64
+  - ubuntu-2004-x86_64
+release_checks_7:
+  provisioner: abs
+  images:
+  - redhat-7-x86_64
+  - redhat-8-x86_64
+  - centos-7-x86_64
+  - centos-8-x86_64
+  - oracle-7-x86_64
+  - scientific-7-x86_64
+  - sles-12-x86_64
+  - sles-15-x86_64
+  - debian-9-x86_64
+  - debian-10-x86_64
+  - ubuntu-1804-x86_64
+  - ubuntu-2004-x86_64
diff --git a/spec/acceptance/firewall_attributes_exceptions_spec.rb b/spec/acceptance/firewall_attributes_exceptions_spec.rb
@@ -19,7 +19,7 @@
   # Skipping those from which we know they would fail.
   describe 'bytecode property', unless: (os[:family] == 'redhat' && os[:release][0] <= '6') ||
                                         (os[:family] == 'sles' && os[:release][0..1] <= '11') ||
-                                        (os[:family] == 'oraclelinux' && os[:release][0] <= '7') ||
+                                        (fetch_os_name == 'oraclelinux' && os[:release][0] <= '7') ||
                                         (os[:family] == 'ubuntu') do
     describe 'bytecode' do
       context '4,48 0 0 9,21 0 1 6,6 0 0 1,6 0 0 0' do
@@ -1316,7 +1316,7 @@ class { '::firewall': }
           hashlimit_name          => 'upto',
           hashlimit_upto          => '16/sec',
           hashlimit_burst         => '640',
-          hashlimit_htable_size   => '1310000',
+          hashlimit_htable_size   => '1000000',
           hashlimit_htable_max    => '320000',
           hashlimit_htable_expire => '36000000',
           action                  => accept,
@@ -1335,7 +1335,7 @@ class { '::firewall': }
       end
     end
     it 'hashlimit_upto is set' do
-      expect(result.stdout).to match(%r{-A INPUT -p tcp -m hashlimit --hashlimit-upto 16\/sec --hashlimit-burst 640 --hashlimit-name upto --hashlimit-htable-size 1310000 --hashlimit-htable-max 320000 --hashlimit-htable-expire 36000000 -m comment --comment "806 - hashlimit_upto test" -j ACCEPT}) # rubocop:disable Metrics/LineLength : Cannot reduce line to required length
+      expect(result.stdout).to match(%r{-A INPUT -p tcp -m hashlimit --hashlimit-upto 16\/sec --hashlimit-burst 640 --hashlimit-name upto --hashlimit-htable-size 1000000 --hashlimit-htable-max 320000 --hashlimit-htable-expire 36000000 -m comment --comment "806 - hashlimit_upto test" -j ACCEPT}) # rubocop:disable Metrics/LineLength : Cannot reduce line to required length
     end
   end
 
@@ -1369,4 +1369,31 @@ class { '::firewall': }
       expect(result.stdout).to match(%r{-A POSTROUTING -p tcp -m comment --comment "901 - set random-fully" -j MASQUERADE})
     end
   end
+
+  describe 'condition', condition_parameter_test: false do
+    context 'is set' do
+      pp = <<-PUPPETCODE
+        if $facts['os']['name'] == 'Ubuntu' and versioncmp($facts['os']['release']['full'], '14.04') > 0 {
+          firewall { '010 isblue ipv4':
+            ensure    => 'present',
+            condition => '! isblue',
+            chain     => 'INPUT',
+            iniface   => 'enp0s8',
+            proto     => 'icmp',
+            action    => 'drop',
+          }
+        }
+      PUPPETCODE
+      it 'applies' do
+        apply_manifest(pp)
+      end
+      if fetch_os_name == 'ubuntu' && os[:release].to_i > 14
+        it 'contains the rule' do
+          run_shell('iptables-save') do |r|
+            expect(r.stdout).to match(%r{-A INPUT -i enp0s8 -p icmp -m condition ! --condition "isblue"  -m comment --comment "010 isblue ipv4" -j DROP})
+          end
+        end
+      end
+    end
+  end
 end
diff --git a/spec/acceptance/firewall_attributes_ipv6_exceptions_spec.rb b/spec/acceptance/firewall_attributes_ipv6_exceptions_spec.rb
@@ -376,7 +376,7 @@ class { '::firewall': }
           hashlimit_name          => 'upto-ip6',
           hashlimit_upto          => '16/sec',
           hashlimit_burst         => '640',
-          hashlimit_htable_size   => '1310000',
+          hashlimit_htable_size   => '1000000',
           hashlimit_htable_max    => '320000',
           hashlimit_htable_expire => '36000000',
           action                  => accept,
@@ -434,7 +434,7 @@ class { '::firewall': }
       expect(result.stdout).to match(%r{-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "503 - clamp_mss_to_pmtu" -j TCPMSS --clamp-mss-to-pmtu})
     end
     it 'hashlimit_name set to "upto-ip6"' do
-      expect(result.stdout).to match(%r{-A INPUT -p tcp -m hashlimit --hashlimit-upto 16\/sec --hashlimit-burst 640 --hashlimit-name upto-ip6 --hashlimit-htable-size 1310000 --hashlimit-htable-max 320000 --hashlimit-htable-expire 36000000 -m comment --comment "803 - hashlimit_upto test ip6" -j ACCEPT}) # rubocop:disable Metrics/LineLength : Cannot reduce line to required length
+      expect(result.stdout).to match(%r{-A INPUT -p tcp -m hashlimit --hashlimit-upto 16\/sec --hashlimit-burst 640 --hashlimit-name upto-ip6 --hashlimit-htable-size 1000000 --hashlimit-htable-max 320000 --hashlimit-htable-expire 36000000 -m comment --comment "803 - hashlimit_upto test ip6" -j ACCEPT}) # rubocop:disable Metrics/LineLength : Cannot reduce line to required length
     end
     it 'match_mark is set' do
       expect(result.stdout).to match(%r{-A INPUT -m mark --mark 0x1 -m comment --comment "503 match_mark ip6tables - test" -j REJECT --reject-with icmp6-port-unreachable})

diff --git a/spec/acceptance/resource_cmd_spec.rb b/spec/acceptance/resource_cmd_spec.rb
@@ -8,7 +8,16 @@
     # In order to properly check stderr for anomalies we need to fix the deprecation warnings from puppet.conf.
     config = run_shell('puppet config print config').stdout
     run_shell("sed -i -e \'s/^templatedir.*$//\' #{config}")
-    run_shell('echo export LC_ALL=C > ~/.bashrc')
+    if fetch_os_name == 'redhat' && [6, 7].include?(os[:release].to_i)
+      run_shell('echo export LC_ALL="C" > /etc/profile.d/my-custom.lang.sh')
+      run_shell('echo "## US English ##" >> /etc/profile.d/my-custom.lang.sh')
+      run_shell('echo export LANG=en_US.UTF-8 >> /etc/profile.d/my-custom.lang.sh')
+      run_shell('echo export LANGUAGE=en_US.UTF-8 >> /etc/profile.d/my-custom.lang.sh')
+      run_shell('echo export LC_COLLATE=C >> /etc/profile.d/my-custom.lang.sh')
+      run_shell('echo export LC_CTYPE=en_US.UTF-8 >> /etc/profile.d/my-custom.lang.sh')
+      run_shell('source /etc/profile.d/my-custom.lang.sh')
+    end
+    run_shell('echo export LC_ALL="C" >> ~/.bashrc')
     run_shell('source ~/.bashrc')
   end
 

diff --git a/spec/spec_helper_acceptance_local.rb b/spec/spec_helper_acceptance_local.rb
@@ -7,52 +7,68 @@ class LitmusHelper
 
 def iptables_flush_all_tables
   ['filter', 'nat', 'mangle', 'raw'].each do |t|
-    expect(run_shell("iptables -t #{t} -F").stderr).to eq('')
+    expect(LitmusHelper.instance.run_shell("iptables -t #{t} -F").stderr).to eq('')
   end
 end
 
 def ip6tables_flush_all_tables
   ['filter', 'mangle'].each do |t|
-    expect(run_shell("ip6tables -t #{t} -F").stderr).to eq('')
+    expect(LitmusHelper.instance.run_shell("ip6tables -t #{t} -F").stderr).to eq('')
   end
 end
 
 def install_iptables
-  run_shell('iptables -V')
+  LitmusHelper.instance.run_shell('iptables -V')
 rescue
   if os[:family] == 'redhat'
-    run_shell('yum install iptables-services -y')
+    LitmusHelper.instance.run_shell('yum install iptables-services -y')
   else
-    run_shell('apt-get install iptables -y')
+    LitmusHelper.instance.run_shell('apt-get install iptables -y')
   end
 end
 
 def iptables_version
   install_iptables
-  x = run_shell('iptables -V')
+  x = LitmusHelper.instance.run_shell('iptables -V')
   x.stdout.split(' ')[1][1..-1]
 end
 
 def pre_setup
-  run_shell('mkdir -p /lib/modules/`uname -r`')
-  run_shell('depmod -a')
+  LitmusHelper.instance.run_shell('mkdir -p /lib/modules/`uname -r`')
+  LitmusHelper.instance.run_shell('depmod -a')
 end
 
 def update_profile_file
-  run_shell("sed -i '/mesg n/c\\test -t 0 && mesg n || true' ~/.profile")
-  run_shell("sed -i '/mesg n || true/c\\test -t 0 && mesg n || true' ~/.profile")
+  LitmusHelper.instance.run_shell("sed -i '/mesg n/c\\test -t 0 && mesg n || true' ~/.profile")
+  LitmusHelper.instance.run_shell("sed -i '/mesg n || true/c\\test -t 0 && mesg n || true' ~/.profile")
+end
+
+def fetch_os_name
+  @facter_os_name ||= LitmusHelper.instance.run_shell('facter os.name').stdout.delete("\n").downcase
 end
 
 RSpec.configure do |c|
+  # This flag is disabling test 'condition' from firewall_attributes_exceptions
+  # because this test is failing on docker containers, but it's compatible with vmpooler machines
+  # To enable tests on abs/vmpooler machines just set to `true` this flag
+  c.filter_run_excluding condition_parameter_test: false
   c.before :suite do
+    if fetch_os_name == 'centos' && os[:release].to_i == 8
+      pp = <<-PUPPETCODE
+        package { 'iptables-services':
+          ensure => 'latest',
+        }
+        package { 'policycoreutils':
+          ensure => 'latest',
+        }
+      PUPPETCODE
+      LitmusHelper.instance.apply_manifest(pp)
+    end
     if os[:family] == 'debian' && os[:release].to_i == 10
       pp = <<-PUPPETCODE
         package { 'net-tools':
           ensure   => 'latest',
         }
-        package { 'iptables':
-          ensure   => 'latest',
-        }
         PUPPETCODE
       LitmusHelper.instance.apply_manifest(pp)
       LitmusHelper.instance.run_shell('update-alternatives --set iptables /usr/sbin/iptables-legacy', expect_failures: true)
@@ -62,6 +78,12 @@ def update_profile_file
       package { 'conntrack-tools':
         ensure => 'latest',
       }
+      package { 'xtables-addons-common':
+        ensure => 'latest',
+      }
+      package { 'iptables':
+        ensure   => 'latest',
+      }
     PUPPETCODE
     LitmusHelper.instance.apply_manifest(pp)
   end

diff --git a/spec/unit/puppet/type/firewall_spec.rb b/spec/unit/puppet/type/firewall_spec.rb
@@ -823,6 +823,13 @@
     end
   end
 
+  describe ':condition' do
+    it 'accepts value as a string' do
+      resource[:condition] = 'somefile'
+      expect(resource[:condition]).to eq('somefile')
+    end
+  end
+
   describe 'autorequire packages' do
     [:iptables, :ip6tables].each do |provider|
       it "provider #{provider} should autorequire package iptables" do